docs: add service README.md files + update AGENTS.md decisions

- Create README.md for 25+ service modules with container info, API surface, storage
- Document attestor-tileproxy separation rationale (air-gap network isolation)
- Document opsmemory-advisoryai separation rationale (resource isolation, blast radius)
- Update Timeline AGENTS.md with merged indexer info

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/Timeline/README.md

@@ -0,0 +1,24 @@
+# Timeline
+
+**Container(s):** stellaops-timeline-web
+**Slot:** 24 (timeline)  |  **Port:** 8080  |  **Consumer Group:** timeline
+**Resource Tier:** light
+**Network aliases:** `timeline.stella-ops.local`, `timelineindexer.stella-ops.local` (backwards compat)
+
+## Purpose
+The Timeline module provides a unified, HLC-ordered event timeline across the entire platform. It aggregates audit events from Authority, JobEngine, Policy, Evidence Locker, and Notify via HTTP polling and direct ingestion. It also serves timeline indexer query and evidence linkage endpoints (previously in separate timeline-indexer-web and timeline-indexer-worker containers, now merged).
+
+## API Surface
+- `/api/v1/audit/*` — unified audit aggregation, anomaly detection, export
+- `/api/v1/timeline/*` — timeline indexer event CRUD, indexed queries, evidence linkage
+- `/api/v1/timeline/hlc/*` — HLC-ordered event queries, replay, export
+- `/timeline/*` — bare-prefix indexer endpoints (direct access)
+
+## Storage
+PostgreSQL schema `timeline` (via `Postgres:Timeline:ConnectionString`); Valkey for eventing
+
+## Background Workers
+- `TimelineIngestionWorker` (hosted service) — background event ingestion from NATS/Redis (transports disabled by default)
+
+## Merge History
+- Timeline Indexer (Slot 23) was merged into Timeline (Slot 24). The `timelineindexer.stella-ops.local` network alias is preserved on the timeline-web container for backwards compatibility.